New virus worm alert ....

New virus doing the rounds - We contracted it here via Hotmail, so it got
through Trend's virus guard used by Hotmail, got through AVG with no probs,
and delivered its payload

subjects of emails have been

party invite
attachment returned
you suck!

Contains a zip file 0.33mb in size

disables the following ...

cmd, regedit and taskman

Even safe boot with command prompt will freeze

Files delivered are party.scr and invite.pif, but the pif is hidden, and
will not allow the file to be renamed to .txt; it puts the .pif back on the
end of it - AVG will then flag suspicious activity but it doesn't know what.

Anybody know how to recover the disabled files without having to
re-install - they are all still there - but are being trapped somehow

TpwUK

David H. Lipman

07-09-2005, 10:48 PM

From: "Raiye" <raiye.beresford@remove.this.ntlworld.com>

| New virus doing the rounds - We contracted it here via Hotmail, so it got
| through Trend's virus guard used by Hotmail, got through AVG with no probs,
| and delivered its payload
|
| subjects of emails have been
|
| party invite
| attachment returned
| you suck!
|
| Contains a zip file 0.33mb in size
|
| disables the following ...
|
| cmd, regedit and taskman
|
| Even safe boot with command prompt will freeze
|
| Files delivered are party.scr and invite.pif, but the pif is hidden, and
| will not allow the file to be renamed to .txt; it puts the .pif back on the
| end of it - AVG will then flag suspicious activity but it doesn't know what.
|
| Anybody know how to recover the disabled files without having to
| re-install - they are all still there - but are being trapped somehow
|
| TpwUK
|

Please submit the ZIP file to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about the availability and continuity of this service. Although
the detection rate afforded by the use of multiple antivirus engines is far
superior to that offered by just one product, these results DO NOT guarantee
the harmlessness of a file. Currently, there is not any solution that offers
a 100% effectiveness rate for detecting viruses and malware.

>
> Please submit the ZIP file to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against 18 different AV vendors'
> scanners.
>
> Another way to submit is to send the suspect file to the following email
> address
> scan<at>virustotal.com
> { replace <at> with @ } with only the word SCAN as the subject.
>
> Please post back the EXACT results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
This is a report processed by VirusTotal on 05/27/2005 at 13:58:11 (CET)
after scanning the file "File.zip" file.

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

Any virus seems to get through Hotmail. Just before Hotmail started to use
Trend they used McAfee online virus scanner & I proved to both Hotmail & to
McAfee that a virus was getting through the system on these 4 separate
occasions. Not long after, Hotmail changed its online scanner.

Crouchie1998
BA (HONS) MCP MCSE

Crouchie1998

07-09-2005, 10:48 PM

Hoaxes start like this. If you think you have a new virus then submit it to
SARC or McAfee...

Crouchie1998
BA (HONS) MCP MCSE

David H. Lipman

07-09-2005, 10:48 PM

From: "Crouchie1998" <crouchie1998@spamcop.net>

| Hoaxes start like this. If you think you have a new virus then submit it to
| SARC or McAfee...
|
| Crouchie1998
| BA (HONS) MCP MCSE
|

Actually it should be submitted to Virus Total. The suspect will be tested against 18
different AV vendors' scanners and the suspect is distributed to all member vendors as well.
This includes Symantec and McAfee.

http://www.virustotal.com/flash/index_en.html

Based upon the resultant report, the submitter will know if it is truly new, if it is an
infector and what AV vendor's software recognizes the submission.